﻿<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Getmodelfile.aspx.cs" Inherits="Asp_getmodelfile" %>

<%    
    //The path to the root folder, assuming this file is placed in root/asp/GetModelfile.aspx
    const string g_rootpath = "../";    
    const string g_queryUrl = "url";
    const string g_queryName = "name";
    //What folders that is allowed by this asp file incase some malicious user tries to call this asp file to get other files    
    string[] g_allowedFolders = { "Models/", "Shaders/" };
    //The allowed file extensions as an additional layer of security so this script couldn't be used to fetch other files
    string[] g_allowedFileExtensions = { "txt", "obj", "json", "shader" };
    //If the name of the file is not allowed certain characters which in this case is /\ which is new folder
    char[] g_notAllowedCharsInName = { '/', '\\' };
    bool g_allowedFolder = false, g_allowedFilenameChars = false, g_allowedFileExtension = false;   

    string g_folderurl = "", g_filename = "";

    string g_responseString = "";
    
    try
    {
        //First check if the folder is valid
        //The url to the folder where the file is, needs to be validated so it's not a folder that -
        //- is not meant to be accessed by this script
        g_folderurl = Request.QueryString.Get(g_queryUrl);
        //Validates the folder url
        for (int i = 0; i < g_allowedFolders.Length; i++)
        {
            if (g_folderurl == g_allowedFolders[i])
            {
                g_allowedFolder = true;
                break;
            }
        }
        //Then check that the filename is valid
        g_filename = Request.QueryString.Get(g_queryName);

        //Check if the filename has any / \ in it, if it doesn't IndexOfAny will return -1
        if (g_filename.IndexOfAny(g_notAllowedCharsInName) == -1)
        {
            g_allowedFilenameChars = true;
        }        
        //Last check that the filextension is valid
        string[] g_fileExtensionParts = g_filename.Split('.');
        string g_fileExtension = g_fileExtensionParts[g_fileExtensionParts.Length - 1];

        for (int i = 0; i < g_allowedFileExtensions.Length; i++)
        {
            if (g_fileExtension == g_allowedFileExtensions[i])
            {
                g_allowedFileExtension = true;
                break;
            }
        }

    }
    catch (Exception e)
    {
        g_allowedFileExtension = false;
        g_allowedFolder = false;
        g_allowedFilenameChars = false;

        g_responseString += "the querystring was in bad format <br/>";
    }
   
    
    //If the folder url wasn't allowed, or the name had illegal chars in it or the file extension wasn't allowed
    if (!g_allowedFileExtension || !g_allowedFilenameChars || !g_allowedFolder)
    {
        //Response.Write("url was not found");
        g_responseString += "url was not found";
    }
    else
    {          
        string g_url = Server.MapPath(g_rootpath + g_folderurl + g_filename);
        
        if (System.IO.File.Exists(g_url))
        {            
            using (System.IO.StreamReader sr = new System.IO.StreamReader(g_url))
            {
                string g_fileContent = sr.ReadToEnd();

                g_responseString += g_fileContent;
                
            }
        }
        else
        {
            g_responseString = "url was not found";            
        }
    }

    Response.Write(g_responseString);    
%>